The invention relates to computer security systems and methods, and in particular, to systems and methods for protecting hardware virtualization environments from computer security threats.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms, such as computer viruses, worms, rootkits, spyware, and unwanted adware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.
Computer security software may be used to protect computer systems from malicious software. Commonly used methods of detecting and combating malware include signature matching and behavioral methods. Signature-based methods attempt to match a section of code of a target software entity to a collection of code snippets extracted from software known to be malicious. Behavioral methods generally comprise detecting the occurrence of an event caused by or occurring during execution of a target software entity, and analyzing the respective event to determine whether it indicates a potential security threat.
Conventional event detection typically relies on a class of methods known in the art as hooking. Such methods are often vulnerable and may be thwarted by malicious software. Furthermore, conventional behavioral methods usually suspend execution of the entity that caused a detected event, while the respective event is analyzed for indicators of malice. Such suspensions may negatively impact user experience, especially in hardware virtualization configurations wherein security software executes outside a protected virtual machine.
There is a continuing interest in improving the efficiency of computer security systems and methods, and in particular in developing systems and methods that address the above shortcomings related to event detection and analysis.